Team: Huntress EDR
Product: 3rd Party Antivirus, EDR/MDR/XDR (SentinelOne, ESET, BitDefender, Symantec, Sophos, Webroot, ThreatLocker, Fortinet, HP SureSense, Defender ASR, Sentinel One)
Environment: Exclusion list / Allow list
Summary: In order to allow full functionality, the Huntress Agent may need to be added to the allow list of third-party security software such as AV, NGAV or *DR.
The Huntress Agent and EDR both scan in read-only mode; however, due to the nature of what we are scanning, it can definitely cause false positives with other security software. You'll need to create exclusions if you are experiencing network slow-down, CPU spikes, programs not opening or slow to open, or high memory utilization.
We have observed unintended behavior when the Huntress Agent is not in the exclusion list (allowlisted/whitelisted) of the following products:
- Any AV that has an MS Office monitor (usually Excel).
- BitDefender
- ESET
- Fortinet (especially FortiClient w/Excel monitor)
- HP SureSense will also block the installer for the Huntress Agent. See HP SureSense Blocks Huntress Download for more information.
- NGAV (multiple brands) can cause false positives when we hash the files (a read-only operation)
- SentinelOne (depends on how strict policies are)
- Sophos (Ransomware Detection/CryptoGuard)
- Symantec Endpoint Security
- ThreatLocker (use learning mode to fix)
- Webroot
- Windows Defender with ASR rules in place (rare)
We recommend adding the Huntress executables to your exclusion list:
C:\Program Files\Huntress\HuntressUpdater.exe
C:\Program Files\Huntress\HuntressAgent.exe
C:\Program Files\Huntress\Rio\Rio.exe
C:\Program Files\Huntress\hUpdate.exe
C:\Windows\System32\Drivers\HuntMon.sys
Additionally, you may need the following exclusions in order to install Huntress:
C:\Program Files\Huntress\wyUpdate.exe
$env:temp\HuntressInstaller.exe
C:\Windows\INF\HuntMon.inf
On 32-bit Windows, use "Program Files (x86)" instead of "Program Files".
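For Windows Defender with ASR rules, the following added example (not Huntress's own tooling) reports whether each executable listed above exists, what its Authenticode signature status is, and whether it is already in Defender's exclusion lists. The -Apply switch is a hypothetical name chosen for this example, and skipping files without a valid signature is an assumption of the example, not a Huntress requirement.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally add) Microsoft Defender exclusions
# for the Huntress paths listed in this article.
# Assumes the Defender cmdlets Get-MpPreference / Add-MpPreference are available.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

# Use whichever install root exists (see the "Program Files (x86)" note above).
$root = @('C:\Program Files\Huntress', 'C:\Program Files (x86)\Huntress') |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $root) { throw 'Huntress install directory not found' }

$paths = @(
    "$root\HuntressUpdater.exe"
    "$root\HuntressAgent.exe"
    "$root\Rio\Rio.exe"
    "$root\hUpdate.exe"
    'C:\Windows\System32\Drivers\HuntMon.sys'
)

$pref = Get-MpPreference
$report = foreach ($p in $paths) {
    $present = Test-Path -LiteralPath $p
    # Record the signature status so an exclusion is never added blindly for a path.
    $sig = if ($present) { (Get-AuthenticodeSignature -LiteralPath $p).Status } else { 'Missing' }
    [pscustomobject]@{
        Path        = $p
        Signature   = $sig
        AvExcluded  = $pref.ExclusionPath -contains $p
        AsrExcluded = $pref.AttackSurfaceReductionOnlyExclusions -contains $p
    }
}
$report | Format-Table -AutoSize

if ($Apply) {
    # Assumption of this example: only exclude files that exist and have a valid signature.
    foreach ($r in $report | Where-Object { $_.Signature -eq 'Valid' }) {
        if (-not $r.AvExcluded)  { Add-MpPreference -ExclusionPath $r.Path }
        if (-not $r.AsrExcluded) { Add-MpPreference -AttackSurfaceReductionOnlyExclusions $r.Path }
    }
}
```

Run it without -Apply first and review the table; any row showing Missing or a non-Valid signature should be investigated before an exclusion is created for that path.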